The block cipher CRYPTON is designed based on the latter approach. In fact, its design is much influenced by SQUARE. CRYPTON processes each date blaock by representing into a 4x4 byte array as in SQUARE. The round trasformation of CRYPTON consists of four parallelizable steps: byte-wise sustitutions, column-wise bit permutation, column-to-row transposition, and then key addition. The encryption process invloves 12 repetitions of (essentially) the same round transformation. The decryption process can be made the same as the encryption process, except that diferrent subkeys are applied in each round. Figure 1 shows the high level structure of CRYPTON.
The block cipher CRYPTON has the following features:
- 12-round self-reciprocal cipher with block length of 128 bits.
- Key lengths supported: 64 + 32k(0 <= k <= 6) bits(may allow any number of key lenght up to 256 bits).
- Identical process for encryption and decryption(with different subkeys).
- Strong security against existing attacks: e.g. diffrential and linear cryptanalysis require more cyphertexts than available.
- High parallelism for fast implementation in both software and hardware.
- Tradeoffs between speed and memory: Standard software implementation of CRYPTON requires 512 bytes of storage for 8x8 substution boxes(S-boxes for short) and thus well suited to the environment with limited computing resources, such as smart cards and other portable devices. Using 4 Kbytes of memory, the speed can be substantially increased. In the case of VLSI implementation, the s-boxes can be efficiently implemented using a relatively small number of nand gates.
- Ease of implementation in varios platforms: easy to implement on 8-bit, 16 bit or 32-bit processors, also very efficiente for hardware implementation.
Crypton uses 6 elementary transformations.
We have described attacks on several reduced round versions of the block cipher Crypton. Table 1 summarizes the requirements of the attacks.
In its present form the described attack means no real threat to the full 12-round version of Crypton. However, after the discovery of weak keys [1, 6] of Crypton, this is the second time that the key scheduling of Crypton is brought into discredit.
Attack on Six Rounds of Crypton version 1.0
In a new version of Crypton is proposed, Crypton version 1.0. We explain briefly how to extend our results to version 1.0, which features two major changes.
Round key derivation in version 1.0